Published 1/1/2011
Howard Mevis

Tech issues in 2011: Data storage and security

Digital technology is reaching into every aspect of an orthopaedic surgeon’s practice. Recent regulations—particularly those on data storage and security—will have an increasingly significant impact on orthopaedic practices in 2011.

Data security
Data security is the number one technology issue for 2011.

One of the core tenets of the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, designed to promote and support the use of electronic medical record (EMR) systems, is that patient health information must be protected. HITECH provides incentives for providers who use a certified EMR system and significantly strengthens and expands the security and confidentiality requirements—including the penalties for noncompliance—originally included in the Health Information Portability and Accountability Act (HIPAA).

On Jan. 1, 2011, new meaningful use requirements went into effect, and the Department of Health and Human Services (HHS) is finalizing new privacy and security rules. If you have an EMR system, it is likely that not all specified safeguards for securing patient information are in place.

In a practice with an EMR system, the most serious storage and security breakdown is a data breach. As defined by the HITECH Act, a data breach is the unauthorized acquisition, access, use, or disclosure of protected health information that compromises the security or privacy of such information, except in cases when the unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.

Furthermore, if your practice experiences a breach, you are required to announce it publicly in your local patient area through the local media and to notify each person of the breach. In addition, breaches affecting 500 or more patients are posted on a publicly accessible federal Web site. Of the more than 180 currently listed breaches, all involved paper or unencrypted data.

You, your colleagues, and your practice executives will need to work with your vendors to develop encrypted data files if you plan to exchange data with another physician or hospital, either directly or through a health information exchange. Encryption programs also require strong authentication controls for anyone who accesses the data. If an audit determines that you are not complying with the law, the results are reported to Congress.

The reporting requirement does contain a loophole. A medical practice does not have to report breaches of protected health information if the owners of the practice decide that no harm will come from the breach. But the definition of the so-called harm threshold is ambiguous.

The bottom line is that if you have a breach, your reputation in the community will be harmed, you might have to pay a fine and other civil penalties, and you could go to prison. Individuals as well as organizations will be held accountable. For more information on data security, see “Managing patient data security” (AAOS Now, December 2010).

Data storage and infrastructure
If data security is the number one technology issue, the second most important issue is data storage and infrastructure.

In an electronic practice, data is in digital form, making it accessible for activities ranging from auditing patient results to developing practice financials. Securely storing that data—either with an application service provider (ASP) or on your own servers—requires constant monitoring, updating, and improvements.

These data are critical to successful participation in quality improvement programs and clinical performance reporting, both key long-term goals of the HITECH Act. In the future, payments will be linked to quality of care rather than patient visits and reporting requirements will increase. Orthopaedic practices will need a robust data infrastructure to produce the daily, weekly, and monthly reports that lead to improvements in care quality. Your practice will need to identify the reports necessary for quality improvement and pay-for-performance.

To receive federal incentives for implementation and meaningful use of your EMR system, and to deliver quality care, you will need a well-organized data warehouse. You will also need to integrate your data with practices and hospitals that have other systems.

Data storage is a key issue for orthopaedic practices. Is it on a server in the office or “on the cloud”? Cloud computing is Web-based processing that shares resources, software, and information among computers and other devices on demand over the Internet.

The cloud might best be described as a utility. You pay for off-site storage based on consumption. Although it reduces expenditures for in-house information technology costs, the question of ownership is an important issue that must be resolved (see “Who owns the data?” AAOS Now, April 2010).

Howard Mevis is director of the AAOS electronic media, evaluation programs, course operations, and practice management group. He can be reached at mevis@aaos.org.

Editor’s note: This is the first in a two-part series on technology issues in 2011.

Additional Links:
Managing patient data security

Who owns the data?